2 Summary of Technical Progress

A major revision was made to the formal semantic model for real-time concurrency under limited parallelism. The revision was required to simplify the model. The basic elements of the revision dealt with observing processes against the local clocks of processors and relating those observations to the global clock. The paper has been accepted for publication in Information and Computation subject to these revisions. This work has been done in collaboration with the graduate student Eric Shade.

Several notational simplifications have been brought forth in the formal specification of the dialog system. The specification notation is made to conform to the latest Z-Language Standard. A part of the work dealing with the Formal Specification of a Look Manager has been published in the special issue on formal methods of the IEEE Transactions on Software Engineering, Sep 1990. Another part dealing with the Invariant Properties in the Dialog System has appeared in the Proceedings of the ACM Workshop on Formal Methods, May 1990. The specification of the design of the complete dialog system is currently going through a second iteration. Meanwhile we spent a lot of effort in implementing a syntax directed incremental specification environment for the Z-notation. The environment interfaces nicely with the X-Window system. Currently type inference systems are being integrated into the incremental editing environment. This work was done in collaboration with the graduate student Sanjeev Dharap.

Some conceptual simplifications are brought to bear on the language concept of tri-sections. These simplifications will enhance the power of the notation while retaining the capability for creating regions of maximal parallelism in an otherwise limited parallel execution model. The formal semantics of the concepts will appear as part of Eric Shade's doctoral dissertation.
2.1 Semantic Models for Real-time Concurrency

In recent years the development and the use of real-time systems has increased dramatically. Real-time systems are used in applications where timing behavior is absolutely critical, such as patient monitoring systems, fly-by-wire avionic systems, and manufacturing control systems. Although more sophisticated communication schemes are available, the shared-variable paradigm is frequently employed in real-time systems. Practical limitations, both physical and economic, often restrict the number of physical processors which are available. A system may even be composed of dissimilar physical processors, none of which run at the same speed. For example, a system may consist of a single high-speed processor which is used solely for critical tasks, along with one or more slower processors on which the remainder of the work is distributed.

Clearly, these factors have a tremendous influence on the behavior of a real-time system. As such, there is a need for semantic models which take the execution environment of a system into account. In this paper, we provide a semantic model for real-time concurrency which accounts for

• shared variables (the CREW, EREW and bus-arbitration models),

• limited parallelism, in which the number of processes may exceed the number of physical processors, and

• asynchronous processors, where the conceptual speed of each physical processor depends on a local clock.

We provide a denotational semantics for a small, but realistic, real-time concurrent programming language L. The language uses shared variables for process cooperation, and supports atomic actions, process synchronization, and a delay command for real-time control. It contains alternative and repetitive commands based on guarded commands (Dijkstra, 1976). Features of the language appear in various forms in real-time languages such as CHILL (Branquart, Louis and Wodon, 1982), Ada (Ada, 1983), and Occam (Occam, 1984). The primitives of the language are sufficiently low-level that a rich variety of "high-level" constructs can be implemented and analyzed using the semantic model.

Our work is closely related to Koymans et al. (1988), which provides a linear-history semantics for a real-time variant of CSP (Hoare, 1978) under maximal parallelism. In that model, each process has its own processor, and all processors are synchronized via a conceptual global clock (Salwicki and Muldner, 1981). Their work is an extension of Francez, Lehman and Pnueli (1984) to real-time concurrency.

Other semantic models for real-time concurrency based on maximal parallelism have been explored in Gerth and Boucher (1987), Huizing, Gerth, and de Roever (1987), and Shyamasundar, Narayana, and Pitassi (1987). For a slightly different approach, see for example SCCS (Milner, 1983) and Reed and Roscoe (1985).

Execution Models

A real-time program is the parallel composition of one or more sequential processes. We do not consider nested parallelism in this work. Programs are executed on a MIMD (multiple-instruction, multiple-data) shared-memory machine which consists of one or more physical processors running concurrently.

Each physical processor has its own local memory, and in addition there is a single shared memory which can be accessed by any processor. For simplicity we assume that each shared variable in a program occupies one location in the shared memory. There are three basic models of shared variable access:

• CREW (concurrent read, exclusive write). Any number of processes may read from a single variable simultaneously. If a variable is being written to, no other read or write of that variable can occur simultaneously.

• EREW (exclusive read, exclusive write). There can be at most one read or write access of a variable at a time.

• Bus-arbitration. Access to the shared memory is controlled by a single bus which can only service one request at a time. No simultaneous accesses of any kind are permitted, even of different variables.

In all of the models, a processor can only access one variable at a time, although it could conceivably be waiting to access more than one variable. We assume that all memory accesses will be resolved within a finite period of time. δ denotes the maximum amount of global time that a process must wait before it is granted access to a variable. The function δ is a parameter of the model, and is obviously dependent on p.

A real-time execution model must specify three things: the number of available processors, the speed of the processors, and the allocation of processors to processes. Throughout this work we assume that there are p processors, numbered from 1 to p. There are two basic execution models, the maximal and limited parallelism models. In the maximal parallelism model, p is equal to the number of processes. Each process is allocated a processor which it uses until program termination. The processors all run at the same speed, and are synchronized via a conceptual global clock. During one "tick" of the clock, all of the processors simultaneously perform one machine instruction. We assume that time is discrete.

In the limited parallelism model, p may be less than the number of processes. Therefore process scheduling is required to make good use of the available processors. In order to make our semantic model as general as possible, we make minimal assumptions about the scheduler. As long as it does not violate the program semantics, the scheduler is free to move processes between processors at will. The one requirement is that there must be a delay of at least one global time unit before a process is switched from one processor to another. This is to prevent pointless process swapping. We call such a scheduler an instantaneous scheduler. Of course, real schedulers are far more complex than this, but it provides an excellent basis for a formal model which can easily be enhanced to account for more realistic systems.

In both models, maximal throughput is enforced. Given a choice between executing an action or idling (possibly waiting for some event to occur), a processor must always choose to perform an action as soon as possible. Further, processors may not go unused if there is a process waiting for execution. This locally maximizes processor utilization, but does not guarantee that the (global) execution time of the program will be minimal.

The limited parallelism model can be generalized by considering asynchronous processors. In addition to the global clock, each processor has its own local clock. Each "tick" of a local clock takes a discrete non-zero amount of global time, which is the speed of the processor. The function θ maps processors to their speeds. For example, if θ(4) = 3 and θ(1) = 2, then processor 4 runs 50% more slowly than processor 1.

It is important to note that limited parallelism and interleaving are very distinct models. Interleaving models represent the minimal assumptions necessary to ensure (qualitatively) correct execution of concurrent programs. They impose the least possible implementation restrictions. Limited parallelism, on the other hand, is a real-time model which enforces maximal throughput, and makes the processor resources explicit. A limited parallelism model has three parameters: p, the number of physical processors; δ, the maximum delay for shared memory access; and θ, the processor speeds. By choosing p to equal the number of processes and choosing θ(i) to be one for 1 ≤ i ≤ p, maximal parallelism is just a special case of limited parallelism.
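As an added example (not the report's own model), the simulator below runs straight-line processes, each a fixed number of actions taking one local tick, on p processors with speeds θ, under the rules stated above: maximal throughput (a free processor idles only when no process is eligible), an instantaneous scheduler that requires at least one global time unit before moving a process to a different processor, and the assumption that the longest-waiting eligible process is scheduled first. Synchronization, delay commands and shared-memory delays δ are not modelled here; `maximal_parallelism` instantiates the special case p = number of processes, θ(i) = 1.

```python
from dataclasses import dataclass

@dataclass
class Proc:
    name: str
    actions: int        # remaining actions, one local tick each (no sync/delay)
    ready_at: int = 0   # global time from which it may be scheduled again
    last_cpu: int = 0   # processor it last ran on; 0 = never run

def run(procs, p, theta):
    """Simulate processes on p processors with speeds theta[cpu] (global time
    units per local tick). Mutates procs; returns {name: completion time}."""
    busy_until = {cpu: 0 for cpu in range(1, p + 1)}
    done = {q.name: 0 for q in procs if q.actions == 0}
    t = 0
    while len(done) < len(procs):
        for cpu in range(1, p + 1):
            if busy_until[cpu] > t:
                continue                      # still executing an action
            # eligible: ready now, and either on its previous processor
            # or waiting for >= 1 global unit (instantaneous scheduler rule)
            eligible = [q for q in procs if q.name not in done
                        and q.ready_at <= t
                        and (q.last_cpu in (0, cpu) or q.ready_at < t)]
            if not eligible:
                continue                      # idle only when forced to
            q = min(eligible, key=lambda q: q.ready_at)  # longest waiting first
            q.actions -= 1
            q.last_cpu, q.ready_at = cpu, t + theta[cpu]
            busy_until[cpu] = q.ready_at
            if q.actions == 0:
                done[q.name] = q.ready_at
        t += 1
    return done

def maximal_parallelism(procs):
    """The special case p = number of processes, theta(i) = 1 for all i."""
    return run(procs, len(procs), {cpu: 1 for cpu in range(1, len(procs) + 1)})

if __name__ == "__main__":
    print(maximal_parallelism([Proc("A", 3), Proc("B", 2), Proc("C", 4)]))
    print(run([Proc("A", 2), Proc("B", 2)], 2, {1: 1, 2: 2}))
```

With three two-action processes on two unit-speed processors the run finishes at global time 4 rather than 3, showing the point made above that maximal throughput maximizes utilization locally without minimizing global execution time.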

In this work, we consider three languages. La is a language which consists of shared variables and an assignment statement, sequential composition, and parallel composition. The denotational semantics formulates the verification conditions with respect to memory access schemes. We subsequently introduce a simple language Ls with synchronization and atomic actions. Because synchronization between processes, and entry to atomic actions, is recognizable against a global clock, observing processes can be tricky. We seek to observe processes at two levels. In the a priori semantics, we observe process events irrespective of the processors, or their speeds. We then impose processor speeds on the observed a priori semantics after modifying observations with respect to synchronization and entry to atomic action elements. This leads to a simpler semantics. Further, at every action of a process, the process can potentially wait in the scheduler. This fact is taken into account. While composing the processes, maximal throughput is achieved; this means that no processor idles unless prohibited by synchronization constraints. Finally, we consider the full language L consisting of La and Ls and an alternative and repetitive construct. This development shows how concepts can interact when put together, particularly in a limited parallelism environment. We also prove that maximal parallelism is a special case of limited parallelism. Finally in the work, we show how to impose scheduling disciplines like priorities, placed processes, etc.

This work is being done in collaboration with the graduate student Eric Shade.
3 Formal Design of Dialog Systems

This year we have sought to extend and simplify the formal design of the dialog system. This simplification and revision led to the publication of components of the system as two papers. Our central interest in this aspect has been to obtain an understanding of the Z specification language and apply the same to large scale industrial size problems. Since the notation combines graphical text, we felt the need for developing a syntax directed specification environment for the Z notation. We built an incremental editing environment in which Z schemas can be treated as windows in the X-Window model. The initial environment was set up against the notation given in the book by Ian Hayes. Most recently a new standard for the Z notation has been defined by people at Oxford. We are currently redesigning the system so that it can accept the latest Z language. In addition, work is in progress towards integrating type inference systems in the incremental environment. This work is being done in collaboration with the graduate student S. Dharap from Penn State.